© 2006 Cisco Systems, Inc. All rights reserved. CIPT2 v5.01-1 Secure IP Telephony: Hardening the IP Phone

Transcript:


Threats Targeting Endpoints

Threats Targeting Endpoints
– Physical and web access to network configuration settings
– Corrupting the image and the configuration file
– Connected PC sniffing the voice VLAN
– Attacking from the network, listening to the communication

Endpoint Infiltration and Attack
– Endpoints can be attacked by modifying the image and configuration file.
– Endpoints can be wire-tapped:
    – Behind the switch of the IP phone
    – Man-in-the-middle attack with GARP
– Information about the network infrastructure can be uncovered:
    – DHCP, DNS, default router, Cisco Unified CallManager, TFTP
    – These could be the next targets of the attacks

Possible Attack Paths (figure: an attacker connected to the network switch, with the IP phone, the gateway, and Cisco Unified CallManager running TFTP, SQL and web server)
1. Listen to the conversation.
2. Modify the IP phone image or configuration, or start a man-in-the-middle attack.
3. Attack the operating system and Cisco Unified CallManager services.
4. Attack network devices and services.

Stopping Rogue Images from Entering Phones

Phone Image Authentication
– Phone image authentication was introduced with Cisco CallManager Release 3.3(3):
    – Image signed by Cisco manufacturing
    – The current image verifies the signature and the phone model information of the new image before accepting it
– Phone configuration file authentication was introduced with Cisco Unified CallManager Release 4.0:
    – Configuration file signed by Cisco Unified CallManager
    – Signature verified before the new configuration is applied
– Phone configuration file encryption was introduced with Cisco Unified CallManager Release 5.0:
    – Configuration file encrypted by Cisco Unified CallManager
    – The phone decrypts the received configuration file

IP Phones Validate Signed Firmware Image (figure: Cisco Unified CallManager and TFTP server serving a Cisco Unified IP Phone 7961, which accepts the valid image (OK); an attacker offering a modified image; and an image for a Cisco Unified IP Phone 7912)
The IP phone rejects an image because of:
– A modified image from an attacker
– An image for the wrong IP phone model
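The verify-before-accept logic the two slides above describe, as an added example that is not Cisco's code: the phone installs a firmware image only when a manufacturing signature over both the image bytes and the phone model string verifies, and applies a configuration file only when CallManager's signature over the device name and file contents verifies. Ed25519 key pairs generated inside the program stand in for the manufacturing certificate and the CallManager signing key; the `Signed` container, the `Phone` type, the device name and the error names are constructed for this example, and the Release 5.0 configuration-file encryption step is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors a phone reports when it refuses an update (names constructed for this example).
var (
	ErrBadSignature = errors.New("signature does not verify: update rejected")
	ErrWrongModel   = errors.New("image built for another phone model: update rejected")
)

// NewKeyPair generates an Ed25519 key pair; it stands in for a CA-issued signing key (assumption).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// digest binds a label (phone model for images, device name for configuration files)
// to the payload, so a valid signature cannot be replayed onto another model or device.
func digest(label string, payload []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(label)))
	h.Write(n[:]) // length prefix keeps the label/payload boundary unambiguous
	h.Write([]byte(label))
	h.Write(payload)
	return h.Sum(nil)
}

// Signed is a hypothetical container for a signed firmware image or configuration file.
type Signed struct {
	Label     string // phone model (image) or device name (configuration)
	Payload   []byte
	Signature []byte
}

// Sign stands in for the manufacturing (image) or CallManager (configuration) signing step.
func Sign(priv ed25519.PrivateKey, label string, payload []byte) Signed {
	return Signed{Label: label, Payload: payload, Signature: ed25519.Sign(priv, digest(label, payload))}
}

// Phone models the checks the running firmware performs before accepting an update.
type Phone struct {
	Model, Name    string
	ManufacturerPK ed25519.PublicKey // trust anchor for firmware images
	CallManagerPK  ed25519.PublicKey // trust anchor for configuration files
	Image, Config  []byte            // what is currently installed
}

// AcceptImage installs a new image only if the manufacturing signature verifies
// and the signed model string matches this phone; a rejected image changes nothing.
func (p *Phone) AcceptImage(s Signed) error {
	if !ed25519.Verify(p.ManufacturerPK, digest(s.Label, s.Payload), s.Signature) {
		return ErrBadSignature
	}
	if s.Label != p.Model {
		return ErrWrongModel
	}
	p.Image = s.Payload
	return nil
}

// AcceptConfig applies a configuration file only if CallManager's signature
// verifies and the file was issued for this device.
func (p *Phone) AcceptConfig(s Signed) error {
	if s.Label != p.Name || !ed25519.Verify(p.CallManagerPK, digest(s.Label, s.Payload), s.Signature) {
		return ErrBadSignature
	}
	p.Config = s.Payload
	return nil
}

func main() {
	mfgPub, mfgPriv := NewKeyPair() // manufacturing key pair (stand-in)
	ccmPub, ccmPriv := NewKeyPair() // CallManager key pair (stand-in)
	phone := Phone{Model: "7961", Name: "SEP001122334455", ManufacturerPK: mfgPub, CallManagerPK: ccmPub}
	good := Sign(mfgPriv, "7961", []byte("firmware-7961-v2"))
	modified := good
	modified.Payload = []byte("firmware-7961-v2-modified") // altered after signing
	other := Sign(mfgPriv, "7912", []byte("firmware-7912-v2")) // valid, but for another model
	relabeled := other
	relabeled.Label = "7961" // model string changed without re-signing
	for name, s := range map[string]Signed{"good": good, "modified": modified, "other model": other, "relabeled": relabeled} {
		fmt.Printf("%-12s -> %v\n", name, phone.AcceptImage(s))
	}
	fmt.Println("config:", phone.AcceptConfig(Sign(ccmPriv, "SEP001122334455", []byte("<device/>"))))
}
```

The model string lives inside the signed data rather than beside it: a genuine 7912 image is rejected by the model check, and the same image with its label rewritten to 7961 fails the signature check, which is the pair of rejections the slide's figure shows.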

Phone Security Settings Overview

Phone Security Options in Cisco Unified CallManager
Protect the IP phone by disabling these settings:
– Speakerphone
– PC port
– Settings access
– GARP
– PC voice VLAN access
– Web access

Disabling PC Port, Settings Button, and Web Access to the Phone

Hardening the IP Phone with Product-Specific Parameters
– Disable the PC port:
    – For example, for lobby phones
    – Attackers do not get access to the network
– Disable settings access:
    – The Disabled option deactivates the Settings button completely.
    – The Restricted option grants access to the contrast and ringer menus only.

IP Phone Web Service
– Displays information similar to that shown by the Settings button on the IP phone
– Discloses information about the network infrastructure
– Disable web access for a phone to stop the web service

Ignoring Gratuitous ARP

GARP
– Usually ARP operates in a request-response fashion.
– Learned MAC addresses are added to a local ARP cache.
– GARP packets are ARP packets that have not been requested:
    – Are sent by a station that announces its own MAC address
    – Allow update of ARP caches in receiving devices
    – Usually sent after MAC address changes
    – Can be misused for packet redirection in a man-in-the-middle attack

GARP Attack (figure: the hacker's PC sends a GARP to the IP phone)
Stop GARP attacks by disabling GARP at the IP phones.
1. Tell the IP phone that I am the default router.
2. Listen to the communication and relay the traffic from the IP phone to the default gateway.

Block PC Access to the Voice VLAN

Voice VLAN Access at the PC (figure: data VLAN 1 and voice VLAN 22; the PC also receives voice VLAN traffic)
By default, the IP phone sends all traffic to the PC:
– Including the voice VLAN traffic
– Allows sniffing of phone conversations at the PC
– The PC can also send data to the voice VLAN

Disable PC Voice VLAN Access
– The IP phone will not forward voice VLAN-tagged traffic to the PC when it is received from the switch.
– The IP phone will not forward voice VLAN-tagged traffic to the switch when it is received from the PC.
– Sniffing voice VLAN traffic at the PC is impossible. For troubleshooting, sniff at the network devices instead.
– Behavior differs between phone models:
    – Cisco Unified IP Phone 7940 and 7960 block access to the voice VLAN only, but allow the PC to send and receive frames tagged with VLAN IDs other than the voice VLAN.
    – Enhanced phones (Cisco Unified IP Phones 7971, 7970, 7961, 7941, 7911) have an additional setting, Span to PC Port. If it is disabled, the PC can send and receive only untagged frames. If it is enabled, the PC can send and receive only untagged frames and frames tagged with the voice VLAN ID (if voice VLAN access is enabled).
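An added example serving both the GARP slides and the voice VLAN slides above (it is not code from the slide deck): it parses an Ethernet frame with an optional 802.1Q tag and an ARP body, flags a gratuitous ARP that claims the default gateway's IP from a MAC other than the one the phone learned (the event a switch-side or monitoring-port detector would alert on, and the packet a phone with GARP disabled simply ignores), and applies the PC-port forwarding rules from the slide for the 7940/7960 and the enhanced models. The frame bytes, the MAC and IP addresses, and the `PCPortSettings` field names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"net"
)

// ARP holds the fields of an Ethernet/IPv4 ARP packet that a detector needs.
type ARP struct {
	Opcode               uint16 // 1 = request, 2 = reply
	SenderMAC, TargetMAC net.HardwareAddr
	SenderIP, TargetIP   net.IP
}

// Frame is a parsed Ethernet frame: optional 802.1Q tag plus the ARP body, if any.
type Frame struct {
	Dst, Src  net.HardwareAddr
	Tagged    bool
	VLAN      uint16
	EtherType uint16
	ARP       *ARP
}

// ParseFrame decodes the Ethernet header, an optional 802.1Q tag (EtherType 0x8100)
// and, for EtherType 0x0806, the ARP packet (hardware type Ethernet, protocol IPv4 assumed).
func ParseFrame(b []byte) (Frame, error) {
	if len(b) < 14 {
		return Frame{}, errors.New("truncated Ethernet header")
	}
	f := Frame{Dst: net.HardwareAddr(b[0:6]), Src: net.HardwareAddr(b[6:12])}
	f.EtherType = binary.BigEndian.Uint16(b[12:14])
	off := 14
	if f.EtherType == 0x8100 {
		if len(b) < 18 {
			return Frame{}, errors.New("truncated 802.1Q tag")
		}
		f.Tagged = true
		f.VLAN = binary.BigEndian.Uint16(b[14:16]) & 0x0fff // VLAN ID is the low 12 bits of the TCI
		f.EtherType = binary.BigEndian.Uint16(b[16:18])
		off = 18
	}
	if f.EtherType == 0x0806 {
		p := b[off:]
		if len(p) < 28 || p[4] != 6 || p[5] != 4 {
			return Frame{}, errors.New("truncated or non-IPv4 ARP packet")
		}
		f.ARP = &ARP{
			Opcode:    binary.BigEndian.Uint16(p[6:8]),
			SenderMAC: net.HardwareAddr(p[8:14]), SenderIP: net.IP(p[14:18]),
			TargetMAC: net.HardwareAddr(p[18:24]), TargetIP: net.IP(p[24:28]),
		}
	}
	return f, nil
}

// IsGratuitous reports whether an ARP packet announces the sender's own address
// (sender IP equals target IP), i.e. nobody asked for it.
func IsGratuitous(a *ARP) bool {
	return a != nil && a.SenderIP.Equal(a.TargetIP)
}

// GatewaySpoofed flags a gratuitous ARP that claims the default gateway's IP
// with a MAC other than the one the phone learned for the gateway at boot.
func GatewaySpoofed(f Frame, gwIP net.IP, gwMAC net.HardwareAddr) bool {
	return IsGratuitous(f.ARP) && f.ARP.SenderIP.Equal(gwIP) && f.ARP.SenderMAC.String() != gwMAC.String()
}

// PCPortSettings models the product-specific parameters from the slides (field names constructed).
type PCPortSettings struct {
	Enhanced        bool   // 7971/7970/7961/7941/7911 family, which has Span to PC Port
	VoiceVLANAccess bool   // PC Voice VLAN Access
	SpanToPCPort    bool   // enhanced phones only
	VoiceVLAN       uint16 // voice VLAN ID the phone learned from the switch
}

// ForwardToPC applies the slide's rules to a frame crossing the PC port in either direction.
func ForwardToPC(s PCPortSettings, f Frame) bool {
	switch {
	case !f.Tagged:
		return true // untagged (data VLAN) frames always pass
	case s.Enhanced && !s.SpanToPCPort:
		return false // enhanced phone with span disabled: the PC sees untagged frames only
	case f.VLAN == s.VoiceVLAN:
		return s.VoiceVLANAccess
	default:
		return !s.Enhanced // 7940/7960 pass other VLAN tags; enhanced phones do not
	}
}

// SampleGARP is a constructed frame (not a real capture): a gratuitous ARP reply tagged
// with voice VLAN 22, from MAC 00:11:22:33:44:55, claiming the gateway IP 10.1.22.1.
var SampleGARP, _ = hex.DecodeString(
	"ffffffffffff" + "001122334455" + "8100" + "0016" + "0806" + // dst, src, 802.1Q tag, EtherType ARP
		"0001" + "0800" + "06" + "04" + "0002" + // htype, ptype, hlen, plen, opcode reply
		"001122334455" + "0a011601" + "ffffffffffff" + "0a011601") // sender MAC/IP, target MAC/IP
```

The gratuitous check keys on sender IP equal to target IP, so it catches both the reply and the request form of the announcement; pairing it with the gateway MAC learned at boot turns an ordinary housekeeping announcement into an alert only when the claimed address disagrees with what the phone already knows, which is the redirection the GARP Attack slide shows.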

Authentication and Encryption on Cisco Unified CallManager Administration and IP Phones

Authentication and Encryption in Cisco Unified CallManager Environments (figure: IP phones, Cisco Unified CallManager, SRST, gateway, WAN and PSTN)
Authentication and encryption options are available for:
– Signaling between IP phones (SIP and SCCP) and Cisco Unified CallManager or SRST, using TLS
– Cisco Unified CallManager SIP digest authentication for SIP trunks and third-party SIP phones
– Cisco Unified CallManager intracluster communication, trunk, and gateway signaling, using IPsec
– Media exchange between gateways or phones, using SRTP

Summary
– Attackers will try several attack paths, including attacks against the IP phones.
– IP phones can validate images and configuration updates.
– Every IP phone has specific product configuration menus.
– Disable settings access and web access to prevent hackers from viewing the network configuration.
– Disable GARP to prevent man-in-the-middle attacks.
– Block the PC port if no PC is attached to it, and generally block access to the voice VLAN to avoid unauthorized network access.
– TLS secures signaling, and SRTP secures the audio stream.
